The term computer “hacker” is increasingly used to refer to persons who engage in malicious or illegal activities to gain access to, or attack computer systems without authorization. Such activities by hackers have evolved far beyond those that were simply pranks or caused some minor inconveniences into a key component of highly organized criminal enterprises in which billions of dollars can be made each year.
Hackers often seek to launch attacks on computer systems in an automated manner by using large networks called “botnets” of compromised computers called “bots” (i.e., software robots) or “drones.” While bots can be supported by hosts that bypass most local Internet content regulation (so called “bullet-proof hosts”), bots are primarily found in computers used by innocent home users who are completely unaware that their systems have been taken over and are being used for illegitimate purposes. Botnets are thought to be organized in herds as large as one hundred thousand to a half million or more bots that can be geographically spread over many countries.
Botnets can employ both active and passive attacks. In an active attack, a botnet originates attacking traffic such as spam, adware, or denial of service (“DoS”) traffic which is sent over a network such as the Internet to its victims. In a passive attack, bots function as servers which, when accessed by a user, serve malware such as viruses, rootkits, trojan horses etc., typically using HTTP (Hypertext Transfer Protocol).
Reputation services have been established to address the problem of automated attacks and other hacker activities by compiling black lists of URLs (Uniform Resource Locators) and IP (Internet Protocol) addresses of known adversaries. A variety of technologies such as mail relay servers and firewalls can query the reputation service through an online connection to decide whether to accept traffic from, or send traffic to, a given computer on the Internet.
Current reputation services often run their own laboratories that are equipped with a variety of tools which are used to scan the Internet to locate adversaries and establish the reputation. These tools include web crawlers, honeypots (passive, dummy data or network sites that appear to contain information of value to attract attackers), honey monkeys (virtual computers that visit websites and seek code designed to attack a computer), virtual machines, and other global sensors.
Reputation services face several significant challenges that can affect their use and success in combating hackers. For example, reputation services must reliably detect and confirm adversaries that are deployed in vast numbers all over the world. Hackers can also change URLs and IP addresses of bots very quickly, so reputation services must be able to dynamically respond with equal speed so as not to block legitimate users who might reuse the same URL or IP address a few hours later. This problem of false positives in which URLs and IP addresses of innocent (i.e., non-malicious) computers are wrongly identified as adversaries can cause significant disruptions to users and result in high costs to service providers to resolve disputes and restore services.
This Background is provided to introduce a brief context for the Summary and Detailed Description that follow. This Background is not intended to be an aid in determining the scope of the claimed subject matter nor be viewed as limiting the claimed subject matter to implementations that solve any or all of the disadvantages or problems presented above.